"passwd" by root for user fails with sssd,pam, ldap

Gordon Messmer gordon.messmer at gmail.com
Tue Jul 23 05:20:55 UTC 2013


On 07/22/2013 02:18 PM, Augustin Wolf wrote:
> Okay, it isn't safe to store root password in a file. By all my
> administrator heart I agree. But I don't see why you have to store it
> in a plain text file. Could you please expand on that?

Because that's how LDAP works.  In order to change a password, 
generally, you need to connect and authenticate as an admin or connect 
and authenticate as the user whose password will be changed.

That means that either you need the admin's DN and plain-text password 
in a file (like the older PAM LDAP does) or you need the user to enter 
their own password (like both sssd and PAM LDAP do).

> You can specify which user SSSD is using by customizing
> "ldap_default_bind_dn"; there's also the LDAP Manager password in
> "ldap_default_authtok". As far as I understand, this is the user that
> is performing all the actions via the LDAP server.

It's used for searches, generally when your directory doesn't allow 
anonymous searches.

> It does work when I'm changing password as a
> user using "passwd", right?

"It" consists of connecting to the LDAP server with the password given 
by the user.  "It" can't work for an administrator because there's no 
password to give to the directory.

> Btw. plain-text passwords: there's the option "ldap_sasl_authid",
> which, from what it seems, uses a Kerberos keytab (which is encrypted).
> (Unfortunately, using it in my case didn't help at all.)

I believe that's used for searches as well.

> There are also other plain text password vulnerabilities:
> [root at ldap ~]# grep bindpw /etc/*
> /etc/nslcd.conf:bindpw somesecretpass
> /etc/pam_ldap.conf:bindpw somesecretpass
> /etc/sudo-ldap.conf:bindpw somesecretpass
> and:
> /etc/ldap.secret

None of those are provided by sssd.  The developers who wrote the 
software which uses those files don't share the same concerns that the 
sssd developers have.

By the way: Stephen Gallagher is one of the sssd developers, so you 
should probably take his word when he tells you what sssd does and 
doesn't do.

> Despite that, having logged in to the root account gives full control
> over the system. One can change "rootpw" in /etc/openldap/slapd.conf
> (or the olc* directory-style config) and change users' passwords using
> ldappasswd with the admin DN, skipping the ACL.

...which is what Stephen suggested that you do.  LDAP is a network 
service, and as such the "root" user has no special privileges.  root's 
privileges are more or less limited to the filesystem.

> I'm heading towards using LDAP as a backend database for Kerberos. As
> far as I can tell, all users are in LDAP, in different branches of the
> LDAP directory, and I'm having great trouble finding a comfortable way
> of managing them. Wouldn't it be possible to ask root for the
> administrative password before changing a user's password, and not
> store it anywhere?

With ldappasswd, yes.
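As an added illustration of the two points in this thread (not part of the original message): the first function audits a configuration directory for stored bind passwords of the kind the "grep bindpw /etc/*" output above turned up (nslcd/pam_ldap "bindpw" lines, an ldap.secret file, and sssd's "ldap_default_authtok", which the reply notes is only used for searches); the second builds the ldappasswd invocation that prompts the administrator for the bind password with -W and for the new password with -S, so that nothing is stored in a file or exposed on the command line. The host name, DNs and file contents are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a config directory for
# stored LDAP bind secrets and shows the prompt-based ldappasswd call.

# find_bindpw DIR: print every file under DIR that holds a stored bind
# credential: an "ldap.secret" file, a "bindpw ..." line (nslcd, pam_ldap,
# sudo-ldap) or an "ldap_default_authtok = ..." line (sssd search bind).
# "ldap_default_authtok_type" is deliberately not matched.
find_bindpw() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(basename "$f")" in
            ldap.secret) echo "$f"; continue ;;
        esac
        if grep -Eq '^[[:space:]]*(bindpw|ldap_default_authtok)([[:space:]]|=)' "$f"; then
            echo "$f"
        fi
    done
}

# count_bindpw DIR: number of files flagged by find_bindpw
count_bindpw() {
    find_bindpw "$1" | wc -l | tr -d ' '
}

# ldappasswd_cmd URI ADMIN_DN USER_DN: print the ldappasswd command that
# changes USER_DN's password as the admin.  -W prompts for the admin bind
# password and -S prompts for the new password, so neither appears in a
# config file, the shell history or the process list.
ldappasswd_cmd() {
    printf 'ldappasswd -x -H %s -D %s -W -S %s\n' "$1" "$2" "$3"
}

# demo: run the audit on a constructed directory (sample values only)
demo() {
    tmp=$(mktemp -d)
    printf 'uri ldap://ldap.example.com\nbinddn cn=Manager,dc=example,dc=com\nbindpw somesecretpass\n' \
        > "$tmp/nslcd.conf"
    printf '[domain/example]\nldap_default_bind_dn = cn=sssd,dc=example,dc=com\nldap_default_authtok = somesecretpass\n' \
        > "$tmp/sssd.conf"
    printf 'somesecretpass\n' > "$tmp/ldap.secret"
    echo "Files holding a stored bind credential:"
    find_bindpw "$tmp"
    echo "Prompting alternative for an admin-driven password change:"
    ldappasswd_cmd ldap://ldap.example.com \
        cn=Manager,dc=example,dc=com \
        uid=bob,ou=People,dc=example,dc=com
    rm -rf "$tmp"
}

demo
```

Running the script prints the three sample files as findings and the ldappasswd line; on a real host you would call find_bindpw /etc instead. Note that -W only removes the need to store the admin password; the change still bypasses the directory's ACLs exactly as the quoted message describes, because it is performed as the admin DN.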
